State of AI Component Security
Open, reproducible data — not a black box. Run it yourself and get the same numbers.
Deterministic static scan of 32 real AI components (MCP servers, agent skills, and packages) — engine v0.17.0, ruleset 18, generated 2026-06-19. Every number is reproducible: the same public manifest through the same engine yields the same result. This characterizes the manifest; it is not a claim of statistical representativeness, and N grows as the manifest grows.
Risk level distribution
0 of 32 (0%) carry a deliberate malicious indicator. Powerful capabilities are common; that is capability, not malice — they do not raise the score.
OWASP Agentic Skills Top 10
| Category | Components | % |
|---|---|---|
| AST01 | 2 | 6.2% |
| AST02 | 7 | 21.9% |
| AST03 | 4 | 12.5% |
| AST04 | 0 | 0% |
| AST05 | 1 | 3.1% |
| AST06 | 0 | 0% |
| AST07 | 0 | 0% |
| AST08 | 0 | 0% |
| AST09 | 0 | 0% |
| AST10 | 0 | 0% |
AST06–AST10 are runtime/governance risks, not statically checkable, so they read 0 by construction. See the methodology mapping.
Capability prevalence
| Capability | Components | % |
|---|---|---|
| dynamic_code_execution | 2 | 6.2% |
| filesystem_read | 13 | 40.6% |
| filesystem_write | 9 | 28.1% |
| install_time_execution | 7 | 21.9% |
| mcp_tools_detected | 10 | 31.2% |
| network_egress | 16 | 50% |
| shell_execution | 8 | 25% |
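To make concrete what a deterministic capability scan of this kind does, and why a capability hit is kept separate from a malice verdict, here is an added example written for this page. It is not skilltotal's code: the regex signatures, the single obfuscation indicator, and the sample components are constructed for illustration, and the only thing it shares with the report is the set of capability labels in the table above.

```python
"""Minimal deterministic capability scanner (added example, not skilltotal's code).

A component is modelled as {path: source_text}. Capability labels match the
report's table; the signatures below are constructed heuristics, not the
engine's real ruleset.
"""
import hashlib
import json
import re
from collections import Counter

# Constructed capability signatures: label -> regexes. Hits are recorded as
# capabilities only; they never feed the malice verdict.
CAPABILITY_RULES = {
    "shell_execution": [r"\bsubprocess\.(run|Popen|call|check_output)\b",
                        r"\bos\.system\(", r"child_process"],
    "network_egress": [r"\brequests\.(get|post)\b", r"\burllib\.request\b",
                       r"\bfetch\(", r"\bhttpx\b"],
    "filesystem_read": [r"\bopen\([^)]*['\"]r['\"]", r"\bfs\.readFileSync\b"],
    "filesystem_write": [r"\bopen\([^)]*['\"][wa]['\"]", r"\bfs\.writeFileSync\b",
                         r"\.write_text\("],
    "dynamic_code_execution": [r"\beval\(", r"\bexec\(", r"new Function\("],
    "mcp_tools_detected": [r"@mcp\.tool\b", r"\bserver\.tool\("],
}

# Constructed malicious indicator: executing base64-decoded payloads is an
# obfuscation pattern, i.e. intent rather than raw capability.
MALICIOUS_INDICATORS = [r"exec\(\s*base64\.b64decode\(", r"eval\(\s*atob\("]

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def scan_component(files):
    """Return the sorted list of capability labels found in one component."""
    caps = set()
    for path, text in files.items():
        if path == "package.json":
            try:
                scripts = json.loads(text).get("scripts", {})
            except json.JSONDecodeError:
                scripts = {}
            if any(hook in scripts for hook in INSTALL_HOOKS):
                caps.add("install_time_execution")
        for label, patterns in CAPABILITY_RULES.items():
            if any(re.search(p, text) for p in patterns):
                caps.add(label)
    return sorted(caps)


def risk_level(files):
    """'malicious' only on a deliberate indicator; capabilities do not count."""
    for text in files.values():
        if any(re.search(p, text) for p in MALICIOUS_INDICATORS):
            return "malicious"
    return "clean"


def prevalence(manifest):
    """Components per capability as (label, count, percent), in fixed order."""
    counts = Counter()
    for name in sorted(manifest):          # sort so input order cannot leak in
        for cap in scan_component(manifest[name]):
            counts[cap] += 1
    n = len(manifest)
    return [(cap, counts[cap], round(100 * counts[cap] / n, 1))
            for cap in sorted(counts)]


def report_digest(manifest):
    """SHA-256 of the prevalence table, so two runs can be diffed byte-for-byte."""
    return hashlib.sha256(json.dumps(prevalence(manifest)).encode()).hexdigest()


# Constructed sample manifest of four components (not from the report's corpus).
SAMPLE_MANIFEST = {
    "weather-mcp": {
        "server.py": "import requests\n@mcp.tool()\ndef forecast(city):\n"
                     "    return requests.get(API + city).json()\n",
    },
    "shell-skill": {
        "skill.py": "import subprocess\ndef run(cmd):\n"
                    "    return subprocess.run(cmd, shell=True, capture_output=True)\n",
    },
    "notes-pkg": {
        "package.json": '{"name": "notes", "scripts": {"postinstall": "node setup.js"}}',
        "index.js": "const fs = require('fs');\nfs.writeFileSync('notes.txt', data);\n"
                    "fetch('https://sync.example.invalid/up');\n",
    },
    "reader": {
        "reader.py": "def load(p):\n    with open(p, 'r') as f:\n        return f.read()\n",
    },
}

# Constructed component carrying the obfuscation indicator, for contrast.
OBFUSCATED_SAMPLE = {
    "loader.py": "import base64\nexec(base64.b64decode(PAYLOAD))\n",
}

if __name__ == "__main__":
    for cap, count, pct in prevalence(SAMPLE_MANIFEST):
        print(f"| {cap} | {count} | {pct}% |")
    print("digest:", report_digest(SAMPLE_MANIFEST))
```

Two things the block makes visible: `shell-skill` carries `shell_execution` yet scores `clean`, because only `MALICIOUS_INDICATORS` decides the verdict, and `report_digest` returns the same hash regardless of the order components arrive in, which is the property the report relies on when it says the same manifest yields the same numbers.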
Reproduce
Re-derive every number with the open-source engine and the public manifest:
```bash
pip install skilltotal
python tests/manual_eval/corpus_report.py
```